
March 14, 2005

Harvard Admission: Do Not Open Until Christmas

Like most folks in the news-junkie class, I found out in the past week or so that Harvard busted some 'hackers' who apparently broke into an Admissions database. The story was somewhat beneath my radar for caring and I only made a mental note in passing that it sounds like another blow against the ethics of certain of our future leaders. There was some quibbling somewhere and then the story came out. All 119 students accused were summarily rejected by the University. Then I found out more.

Over the past week I have been literally obsessing about security (I'll explain that later) and have set up a dozen or so new RSS feeds from security blogs. I have learned so much! The latest of these informs me that the 'hack' was accomplished by twiddling with the URL at the website. In other words the security was so stupid as to be inconsistent with the very idea of secured information.

It turns out that all applicants to the Harvard Business School were given accounts on a website:

HBS interacts with applicants via a third-party site called ApplyYourself. Harvard had planned to notify applicants whether they had been admitted, on March 30. Somebody discovered last week that some applicants' admit/reject letters were already available on the ApplyYourself website. There were no hyperlinks to the letters, but a student who was logged in to the site could access his/her letter by constructing a special URL. Instructions for doing this were posted in an online forum frequented by HBS applicants. (The instructions, which no longer work due to changes in the ApplyYourself site, are reproduced here.) Students who did this saw either a rejection letter or a blank page. (Presumably the blank page meant either that HBS would admit the student, or that the admissions decision hadn't been made yet.) 119 HBS applicants used the instructions.
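The flaw described above is a missing server-side authorization check: the letter is fetched by whatever identifier the URL carries, so any logged-in applicant who guesses or edits the identifier gets someone else's decision, and the March 30 release date is not enforced at all. The following is an added illustration written for this post, not ApplyYourself's or Harvard's code; the handler names, the `Letter` record and the sample applicant ids are constructed assumptions. It places a handler with that flaw beside a hardened one that ties the lookup to the session identity and enforces the embargo date.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical decision record; the embargo date is the day the school
# intended to notify applicants (March 30 in the story above).
@dataclass
class Letter:
    applicant_id: int
    decision: str        # "admit" or "reject"
    release_date: date   # must not be shown before this date

# Constructed sample data, not real applicant records.
LETTERS = {
    1001: Letter(1001, "reject", date(2005, 3, 30)),
    1002: Letter(1002, "admit", date(2005, 3, 30)),
}

NOT_AUTHORIZED = "403 Forbidden"
NOT_RELEASED = "Decision not yet released"


def serve_letter_vulnerable(session_user: int, applicant_id: int, today: date) -> str:
    """Flawed handler: the applicant id comes straight from the URL and is
    never compared with the logged-in user, and the release date is ignored.
    A missing record yields a blank page, which is itself a signal."""
    letter = LETTERS.get(applicant_id)
    if letter is None:
        return ""
    return letter.decision


def serve_letter_hardened(session_user: int, applicant_id: int, today: date) -> str:
    """Hardened handler: the record must belong to the session user, and the
    decision is withheld until its release date. Unknown and not-owned ids get
    the same response so the URL cannot be used to probe which ids exist."""
    letter = LETTERS.get(applicant_id)
    if letter is None or letter.applicant_id != session_user:
        return NOT_AUTHORIZED
    if today < letter.release_date:
        return NOT_RELEASED
    return letter.decision


if __name__ == "__main__":
    early = date(2005, 3, 7)
    # Applicant 1001 edits the URL to point at applicant 1002's letter.
    print("vulnerable:", serve_letter_vulnerable(1001, 1002, early))   # admit (leaked)
    print("hardened:  ", serve_letter_hardened(1001, 1002, early))     # 403 Forbidden
    # Own letter before release day is still withheld by the hardened handler.
    print("hardened:  ", serve_letter_hardened(1001, 1001, early))     # Decision not yet released
```

The stricter design is to drop the identifier from the URL altogether and look the letter up from the session alone, so there is nothing for an applicant to edit; the hardened handler keeps the parameter only to make the comparison with the flawed one explicit. Either way, the embargo has to live on the server: a letter that is loaded into the site before release day is reachable by anyone the access check lets through, whether or not a link to it is displayed.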

This reminds me of an old Bill Cosby story about his mean Uncle Charles. All year long Uncle Charles promises little Bill that if he's good, he's going to get a bicycle for Christmas. As the holiday season rolls around, little Bill asks if he has been good enough. Uncle Charles plays coy, saying nothing, but the twinkle in his eye suggests that Bill will be riding happily on Christmas Day. As the day gets closer, Bill pesters his uncle more and more, until one day he does so and upsets Uncle Charles' drink. Uncle Charles, in a fit of rage says "Yes I was going to get you a bicycle, but now you just ruined it." Bill is crushed.

This is clearly cruelty and it is essentially no different from what HBS has done to its applicants. It had made a decision upon the basis of what the students had already accomplished, and then arbitrarily extended it with a new 'ethics' criterion. I don't see a way that HBS can wiggle their way out of this. If the decision to admit or reject had already been made, the application of additional contingencies represents a breach of good faith and draws suspicion on the integrity of the decision process.

That admissions status was available to website members when it should not have been is a technical problem, but it also represents a flaw in the admissions process. Clearly there were significant reasons why the ApplyYourself website was built and populated with students' personal information. It's reasonable to assume that chief among those reasons were transparency of the admissions process and speed of delivery of information. Two steps forward. But too much speed and transparency costs a decision reversal? After all, whose information is it anyway?

Harvard hid the status of these applicants in plain sight. It invited students into a private room with their name on the door ostensibly for the purposes of giving and taking pertinent information. In one corner of this room is their acceptance/rejection letter, addressed to the applicant with the implied warning, 'Do not open until Christmas'. That's cruel.

Understand that it is a non-trivial process to get information from Harvard's Admissions Committee, whoever they may be, onto a third-party website. Whatever that process may be, it is certainly more complicated than stuffing envelopes, stamping them and holding them to be mailed. Nevertheless, by sending this information to the third party who is doing the work of adding content to the website, Harvard was waving it under the nose of the applicants. I grant that using reasonable security would have solved the technical problem, but that doesn't alter the fact that withholding the information due to applicants is an irresponsible injection of drama and punishing those previously accepted is harshly cruel. Harvard clearly was not administratively ready to modify its admissions process to include this sort of website. The ironic result is that aspects of its process have become embarrassingly transparent.

Harvard should reinstate the students who were previously accepted on a deferred admit basis, fire ApplyYourself and keep all further admission information on paper, on campus & under lock and key.

Posted by mbowen at March 14, 2005 09:55 AM

Technically, they are guilty of computer tampering.

Just because you can figure out a way to get to it, it doesn't mean you are allowed to get to it. You have to be authorized to get to it, and they were not.

Posted by: EBrown at March 14, 2005 01:11 PM

um, no they were authorized to get to it, as far as i understand.

they supplied no false information, they simply changed the url they were looking at

if there was a condition, clearly stated and not buried in click through TOS, that they could only access things to which they had specifically been given access and any looking around would be dealt with harshly, then this would be better, but as far as i can tell there was no such warning. most companies have this, saying that you're only supposed to look at things you need for your job, irrespective of access permissions you may have.

if you publish a website, and make a directory browsable, people who browse the directory are not "tampering", they are looking at what you have published. it's your fault that you published too much. if people use a hacking tool to get admin privileges on your system and look around, that's hacking.

it's like giving people a copy of the final along with a package of sample questions. just 'cause it was after several blank pages and upside down doesn't make it "theft"... you gave it to them in the first place, they just found it.

of course, this argument is based on an understanding that people were only tweaking the URL and were not supplying false credentials to the site.

Posted by: hey at March 18, 2005 06:37 AM